The Washington Post

Why it can take so long for companies to reveal their data breaches

The credit reporting agency, Equifax, announced on Sept. 7 that a hack has impacted the credit histories of up to 143 million Americans. (Video: Amber Ferguson/The Washington Post)

A version of this story previously ran in 2016. This has been updated to reflect recent events.

Credit monitoring firm Equifax waited six weeks to disclose that sensitive information, such as Social Security numbers, birth dates and home addresses, of up to 143 million Americans was swept up in a data breach.

After last year's Yahoo incident, the lag has again raised questions about why companies delay telling consumers about data breaches, particularly when the hacks reveal deeply personal information.


The Equifax delay could have potentially disastrous consequences, said Hemanshu Nigam, founder of the online safety advocacy firm SSP Blue. This hack is particularly bad, he said, because Equifax holds exactly the kind of information that institutions use to verify people's identities and protect against hackers.

“Hackers by now could have sold all your information online on the dark net. Someone could be using it and you wouldn’t even know yet,” he said.

Equifax did not say why it waited so long to disclose the breach. But it's common for companies to take their time in letting people know their information's been stolen.

Sometimes, companies don't realize they've been breached, as was the case with Yahoo in 2016, when it announced a huge data breach that happened in 2013. The company said it didn't know about the intrusion until years later, thanks to a team of outside investigators.

Even when companies do find a breach on their own, there are other reasons that people may not hear about it right away.

For one, law enforcement may ask a company to keep quiet so as not to alert hackers that a breach has been discovered; several state data breach disclosure laws say companies can delay disclosure for law enforcement requests.

Also, different types of information require different disclosures. Companies investigating hacks have to parse out whether financial, medical or other data has been taken and whether the theft of that information poses real harm to consumers.

Sorting all of that can take time, and each state has its own standards for when and how breaches that affect its residents must be reported, which can slow down the process further. There are different notification laws in 48 states, plus D.C. and Puerto Rico, according to the National Conference of State Legislatures. (The only two states that do not have data breach notification laws are Alabama and South Dakota.)


Most states do not put a timeline on how quickly companies must notify customers after discovering a breach, though eight do: Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont. The timelines range from 30 days to 90 days. (California sets a timeline, but just for notice on breaches of medical information.)

Many companies and lawmakers have called for a national data breach notification law to provide a baseline standard for when customers should learn about hacks to help streamline the process.

Yet settling on what should be included in a basic, national law is tricky. Privacy advocates — who generally favor stronger laws on data breach notification — raised concerns about a national data breach notification law proposed in 2015. Advocates worried that federal standards would override some of the more protective measures passed in individual states such as California, which was the first state to enact a data breach notification law.

After the Equifax disclosure, Sen. Mark Warner (D-Va.) issued a statement Thursday calling for a federal data notification law. Warner, who has been advocating for a national law for years, said that the Equifax breach “raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies” to discourage firms from amassing so much sensitive information.

Lawmakers have suggested data breach laws be passed along with data security standards — measures designed to have companies check their systems regularly for problems and head off more breaches in the first place. So have information security experts.

“The law should require, not just encourage, reasonable data security practices from companies that collect, process, and share personal information,” said law professor Woodrow Hartzog in a congressional testimony from 2015. “This will fortify the protection of personal information in the United States and help ensure that fewer breach notifications need to be sent at all.”

In the meantime, the best recourse for those who've had their information stolen is to check their credit report, said Eva Velasquez, president and chief executive officer of the Identity Theft Resource Center. People may also want to put a credit freeze on their accounts, she said, to prevent fraud proactively.